7

I'm doing some cleanup on an AWS account and I see many roles that I'm almost positive are not being used. The account has many services being used so a manual check is impractical.

Is there a way to know how many times a particular AWS Role is being used? And if possible, which service and/or instances are using it?

Julian
  • I guess you could use the API to list running instances and their roles, dump the information to a file, then analyze that way. You may even be able to search by IAM role, but I haven't checked that. – Tim Sep 19 '16 at 19:03
  • @Tim I'm kind of already doing that except that Roles can be assumed by many other things other than EC2 instances. In fact there are scenarios where Roles can be set up for use by a service but nothing is actually created by them, for example when creating a Beanstalk environment, you can set it to make its EC2 instances assume a specific role, but if the environment can't create instances for some reason -or is being created- then there is nothing with that particular Role yet it IS being used for something valid so I should not delete it. – Julian Sep 19 '16 at 19:21
  • That's why I said "instances" not just EC2 instances, but yes inactive servers could use roles currently not assigned. Given this I don't think there's a good answer to this question, but I'll watch with interest to see if anyone else has a good suggestion. – Tim Sep 19 '16 at 19:36
  • @Tim Ah, my bad. Thought you meant EC2 instances. – Julian Sep 19 '16 at 19:53

4 Answers

10

There currently is no method using SDKs for the AWS CLI to get the last accessed time of an IAM role. I confirmed this today with AWS support.

Currently, the only way is to use the AWS Management Console.

  1. Select your IAM role
  2. Click the "Access Advisor" tab.
  3. The contents of this tab will display the last access time for each of the various services (S3, EC2, etc.)
Matt Houser
  • Did tech support mention the CLI in particular? How about other SDKs? I'm marking this as the answer as Amazon's tech support is probably the closest we're gonna get to an answer. Unfortunately this answer suffers from the same problem as stated above in the comments for the original post too: if the role hasn't been used yet but *is* assigned, removing it will break something. – Julian Sep 20 '16 at 14:00
  • Support said there is no public API for it, which covers all SDKs and the CLI. – Matt Houser Sep 20 '16 at 14:54
  • [This SO post](https://stackoverflow.com/questions/46795348/get-aws-iam-policy-access-advisor-records-from-cli-or-sdk) led me to [this Netflix blog post](https://medium.com/netflix-techblog/introducing-aardvark-and-repokid-53b081bf3a7e) to address this programmatically. – jlucktay Jun 15 '18 at 09:27
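Since this answer was written, AWS has added a `RoleLastUsed` block to `iam:GetRole` (the same last-accessed data the Access Advisor tab shows, tracked for the trailing 400 days). The following is an added example, not code from the answer or from AWS: a boto3 script that pulls every role's last-used date and splits the roles into idle, never-used and active. Never-used roles get their own bucket because, as the comments note, a role can be assigned but not yet exercised; the role names and dates in the sample records are constructed.

```python
"""Flag IAM roles that have not been used recently via RoleLastUsed.

Constructed example, not the answer's own code. iam:GetRole returns a
RoleLastUsed block (the Access Advisor data, tracked for the trailing 400
days); roles with no LastUsedDate are reported separately because they may be
assigned but not yet used, so they are not safe to delete on that basis.
"""
from datetime import datetime, timedelta, timezone


def classify_roles(roles, now, max_idle_days=90):
    """Split GetRole-shaped dicts into (idle, never_used, active) role names;
    idle entries are (name, last_used). Service-linked roles are skipped."""
    cutoff = now - timedelta(days=max_idle_days)
    idle, never_used, active = [], [], []
    for role in roles:
        if role.get("Path", "/").startswith("/aws-service-role/"):
            continue  # managed by AWS, not a cleanup candidate
        last_used = (role.get("RoleLastUsed") or {}).get("LastUsedDate")
        if last_used is None:
            never_used.append(role["RoleName"])
        elif last_used < cutoff:
            idle.append((role["RoleName"], last_used))
        else:
            active.append(role["RoleName"])
    return idle, never_used, active


def fetch_roles():
    """Fetch every role with GetRole: ListRoles omits RoleLastUsed."""
    import boto3  # lazy import keeps classify_roles() runnable offline
    iam = boto3.client("iam")
    return [iam.get_role(RoleName=r["RoleName"])["Role"]
            for page in iam.get_paginator("list_roles").paginate()
            for r in page["Roles"]]


# Constructed sample records standing in for GetRole output.
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {"RoleName": "app-prod", "Path": "/",
     "RoleLastUsed": {"LastUsedDate": SAMPLE_NOW - timedelta(days=3)}},
    {"RoleName": "old-migration", "Path": "/",
     "RoleLastUsed": {"LastUsedDate": SAMPLE_NOW - timedelta(days=200)}},
    {"RoleName": "beanstalk-pending", "Path": "/", "RoleLastUsed": {}},
    {"RoleName": "AWSServiceRoleForSupport",
     "Path": "/aws-service-role/support.amazonaws.com/", "RoleLastUsed": {}},
]
```

Against a real account, `classify_roles(fetch_roles(), datetime.now(timezone.utc))` needs `iam:ListRoles` and `iam:GetRole`; treat the never-used list as "investigate", not "delete".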
0

For EC2 instances I just searched by role name in the EC2 search options and it helped me. As we see, the IAM role is shown in the description of the EC2 instance. Also for other resources we could track whether the role is attached or not. So this leads to the role name needing to contain some labels that point to its scope of use.

So my answer is that before creating roles we should use some naming rules for roles, so that later we can easily maintain those roles.

  • How is it connected with the topic? – Alexey Vazhnov Jun 18 '20 at 11:26
  • So if the role is used it will be attached to an instance; if not, it is not used via an instance. – Janis Karklins Jun 18 '20 at 11:46
  • EC2 is not the only type for an IAM role: an IAM role can be attached, for example, to Lambda. – Alexey Vazhnov Jun 18 '20 at 17:55
  • That is a great conversation, thank you @AlexeyVazhnov. Yes, maybe it is not fitting this question, but this conversation leads to role naming. So we need to attach some word to the role pointing to its scope of use. Then we could track the scope of the resource where it is attached. For me it seems that the role name should express some field. – Janis Karklins Jun 19 '20 at 10:40
0

Check the "Access Advisor" tab when you choose a Role or a User. That tab gives you info about the last accessed services by the user/role.

Conti
0

If you're using an IAM user with the awscli you can just do: `aws iam get-user`

Which will print the current IAM user information like:

```json
{
  "User": {
    "UserName": "vasco",
    "PasswordLastUsed": "1999-01-01T00:00:00Z",
    "CreateDate": "1999-01-01T00:00:00Z",
    "UserId": "AFUIDGSDOGDOG",
    "Path": "/",
    "Arn": "arn:aws:iam::235534637458:user/vasco"
  }
}
```
vascop